Apache Ambari - WEB Alerts - Don't Use HTTP Principal

Feb 25, 2018

Overview

Apache Ambari makes managing distributed systems like Apache Hadoop easier. One of the capabilities of Ambari is alerting. These alerts can notify administrators and trigger automatic recovery. While reviewing Apache Ranger audit logs, @quirogadf noticed that we had a lot of HTTP users being denied for the YARN service. @quirogadf looked into this more closely and realized that the alert was using HTTP/_HOST@REALM instead of the ambari-qa user or another test user. @quirogadf opened AMBARI-23026 to inform the Apache Ambari community of this error.

Proper Ambari alerts user = ambari-qa

The proper Ambari alerts user is the ambari-qa user instead of HTTP/_HOST@REALM. The HTTP/_HOST@REALM principal is meant for authenticating web endpoints only. It is not meant to be used for authentication to other services. The Service Principal Name (SPN) of HTTP/_HOST is special and used for SPNEGO authentication with Kerberos. The ambari-qa user is a special user created by Ambari specifically for service checks and alerts.

What service alerts are using the HTTP/_HOST principal?

The below command finds all alerts.json files that use a kerberos_principal that isn’t ambari-qa (specified with smokeuser_principal_name).
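One way to run this check, as an added example that is not the command from the original post: it parses every alerts.json under a directory and reports each alert whose `kerberos_principal` does not reference `smokeuser_principal_name`. The directory to scan, the helper names and the sample alert definitions (including the `example-site` property names) are assumptions constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

SMOKEUSER_REF = "smokeuser_principal_name"  # per the page: marks the ambari-qa principal

# Constructed sample shaped like an alerts.json file; not taken from a real cluster.
SAMPLE = {"YARN": {"service": [], "NODEMANAGER": [
    {"name": "sample_web_alert_http", "source": {"type": "WEB", "uri": {
        "http": "{{example-site/example.webapp.address}}",
        "kerberos_principal": "{{example-site/example.spnego.principal}}"}}},
    {"name": "sample_web_alert_smoke", "source": {"type": "WEB", "uri": {
        "http": "{{example-site/example.webapp.address}}",
        "kerberos_principal": "{{cluster-env/smokeuser_principal_name}}"}}}]}}

def walk(node):
    """Yield every dict nested anywhere under node."""
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from walk(value)
    elif isinstance(node, list):
        for item in node:
            yield from walk(item)

def scan(root):
    """Return sorted (path, alert, principal) for alerts not using the smoke user."""
    hits = []
    for path in Path(root).rglob("alerts.json"):
        try:
            doc = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            hits.append((str(path), "<unparseable>", ""))  # report it, do not skip silently
            continue
        for alert in walk(doc):
            # An alert definition is a dict with a name and a source block.
            if "name" not in alert or not isinstance(alert.get("source"), dict):
                continue
            for item in walk(alert["source"]):
                principal = item.get("kerberos_principal")
                if isinstance(principal, str) and SMOKEUSER_REF not in principal:
                    hits.append((str(path), alert["name"], principal))
    return sorted(hits)

def demo():
    """Write SAMPLE into a temporary tree and return the (alert, principal) findings."""
    with tempfile.TemporaryDirectory() as root:
        target = Path(root, "YARN", "alerts.json")
        target.parent.mkdir()
        target.write_text(json.dumps(SAMPLE), encoding="utf-8")
        return [(name, principal) for _path, name, principal in scan(root)]
```

Call `scan()` with the directory that holds your stack's alerts.json files; each row it returns is an alert to compare against the Ranger denials.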

What is next?

Big shout out to @quirogadf for tracking this down and creating AMBARI-23026. Follow AMBARI-23026 to see when this will be fixed upstream in Ambari. Currently it is tagged for Ambari 2.7.0 but has not been committed yet.